Ruby on Rails - Doorkeeper refresh token and concurrency
In the current implementation of Doorkeeper, when an access_token is refreshed, Doorkeeper sends a new refresh_token. This valid implementation becomes problematic when there are concurrent API calls on the client side (iOS, Android) calling refresh access token at the same time. This means there is at least 1 thread ending up with expired tokens that can't refresh.
Does anyone have a solution to this race condition?
We've solved this before (not with Doorkeeper) in a couple of different ways.
Request queue:
On our mobile apps we've implemented a request queue, and before a request is made we check if the token needs to be refreshed; if so, we pause the queue, refresh the token, and unpause it again. No changes to the server are required in this case.
This has some tradeoffs (you need to sync request threads etc.), but it is pretty reliable at stopping refresh contention without needing to modify the server.
Refresh jitter and JWT:
Since we're using JWT (where the access_token expiry is written into the token, and not revoked at the server end), we can add a random number of "jitter seconds" to the refresh expiry each time we check. This decreases the likelihood of 2 requests trying to refresh at the same time. We used this in an AngularJS app that got confused with several tabs open. There is a random chance that 1 tab will refresh before the rest, while the rest continue to use the existing access_token until a new one is returned and updated.
This can work without JWT if you can manage for access_tokens to stay valid when the corresponding refresh token is used, to allow 'other' requests to continue to use the 'old' token until next time.
It's not entirely foolproof, but it reduced the likelihood enough that we were happy with it.
Expiry buffers for tokens:
The last way is, when a refresh is executed, don't expire the token until a few seconds later, so 'concurrent' threads get the new token returned. This was easy enough when I'd written the server component from scratch, but it might not be as easy with Doorkeeper. I think you'd get more mileage from the other 2 approaches.
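The request-queue approach from the answer above, as an added sketch that is not part of the original post and is not Doorkeeper code: a client-side gate lets one thread refresh while the others wait and reuse the result. `RotatingAuthServer` and `TokenGate` are hypothetical names, and the server is a constructed in-memory stand-in that accepts each refresh_token once.

```ruby
require "securerandom"

# Constructed stand-in for an auth server that rotates refresh tokens:
# each refresh_token is accepted once and is revoked when it is used.
class RotatingAuthServer
  attr_reader :refreshes, :rejections
  def initialize(first_refresh_token)
    @lock = Mutex.new
    @valid_refresh = first_refresh_token
    @refreshes = @rejections = 0
  end

  def refresh(refresh_token)
    @lock.synchronize do
      unless refresh_token == @valid_refresh
        @rejections += 1
        raise ArgumentError, "invalid_grant"
      end
      @refreshes += 1
      @valid_refresh = SecureRandom.hex(8)
      { access_token: SecureRandom.hex(8), refresh_token: @valid_refresh,
        expires_at: Time.now + 3600 }
    end
  end
end

# Client-side gate (hypothetical name): every request asks it for a token, and
# only one thread at a time may refresh; the others wait and reuse the result.
class TokenGate
  def initialize(server, tokens)
    @server, @tokens, @lock = server, tokens, Mutex.new
  end
  def access_token
    @lock.synchronize do
      # Re-check expiry inside the lock: a thread that waited here finds the
      # pair already replaced and must not resend the old refresh_token.
      @tokens = @server.refresh(@tokens[:refresh_token]) if Time.now >= @tokens[:expires_at]
      @tokens[:access_token]
    end
  end
end

# Eight "concurrent API calls" that all start with the same expired token pair.
def simulate(threads: 8)
  server = RotatingAuthServer.new("r0")
  gate = TokenGate.new(server, { access_token: "a0", refresh_token: "r0", expires_at: Time.now - 1 })
  seen = Array.new(threads) { Thread.new { gate.access_token } }.map(&:value)
  { refreshes: server.refreshes, rejections: server.rejections, distinct_tokens: seen.uniq.size }
end
```

Without the expiry re-check inside the lock, each waiting thread would resend the already-used refresh_token and be rejected, which is the race described in the question.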